summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Add option -i to allow oscpcheck to be used to validate an on-disk staplebeck2017-11-282-49/+103
| | | | ok claudio@ benno@
* Add the missing STANDARDS section (kettenis@ noticed that these areschwarze2017-11-281-6/+14
| | | | | POSIX functions) and turn the weird DIAGNOSTICS section into a normal RETURN VALUES section while here.
* Allow TLS ciphers and protocols to be specified for nc(1).jsing2017-11-282-41/+65
| | | | | | | | | | | Replace the "tlscompat" and "tlsall" options with "cipher" and "protocol" options that are key/value pairs. This allows the user to specify ciphers and protocols in a form that are accepted by tls_config_set_ciphers() and tls_config_set_protocols() respectively. ok beck@ (also ok jmc@ for a previous revision of the man page).
* Rewrite ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.jsing2017-11-281-81/+78
| | | | | | | This removes the last remaining use of the old M_ASN1_* macros (asn1_mac.h) from API that needs to continue to exist. ok beck@ inoguchi@
* Add regress coverage for ASN1_TYPE_{get,set}_int_octetstring()jsing2017-11-282-2/+147
|
* Correct TLS extensions handling when no extensions are present.jsing2017-11-281-1/+13
| | | | | | | | If no TLS extensions are present in a client hello or server hello, omit the entire extensions block, rather than including it with a length of zero. ok beck@ inoguchi@
* Add regress test coverage for building clienthello and serverhellojsing2017-11-281-4/+201
| | | | | extensions, both with extensions being present and not present. The not present case currently fails.
* Add regress for CBB_discard_child().jsing2017-11-281-2/+56
| | | | Converted from BoringSSL.
* Add CBB_discard_child(), which allows for a child CBB to be discarded.jsing2017-11-282-2/+22
| | | | Based on BoringSSL.
* GNU ld has prefixed the contents of .gnu.warning.SYMBOL sectionstb2017-11-288-19/+19
| | | | | | | | with "warning: " since 2003, so the messages themselves need not contain the prefix anymore. From Scott Cheloha ok jca, deraadt
* Use clock_gettime and getrusage to compute real and user time.jca2017-11-241-16/+33
| | | | Better handling of clock jumps, from Scott Cheloa.
* Revert recent changes to unbreak ports/net/sambajca2017-11-041-2/+8
| | | | | | | | While it is not clear (to me) why that ports ends up with corrupted shared libs, reverting those changes fixes the issue and should allow us to close p2k17 more smoothly. Discussed with a bunch, ok ajacoutot@ guenther@
* 's' should include 'f'; from Jacqueline Jolicoeurotto2017-11-021-2/+2
|
* openssl s_time -connect host:port needs dns promise for pledge(2) otherwise itmestre2017-11-021-2/+2
| | | | | | | | will SIGABRT Bug found by Scott Cheloha <scottcheloha at gmail.com> OK deraadt@
* Change pthread_cleanup_{push,pop} to macros that store the cleanup infoguenther2017-10-281-8/+2
| | | | | | | | | | | | | | on the stack instead of mallocing the list and move the APIs from libpthread to libc so that they can be used inside libc. Note: the standard was explicitly written to permit/support this "macro with unmatched brace" style and it's what basically everyone else already does. We xor the info with random cookies with a random magic to detect/trip-up overwrites. Major bump to both libc and libpthread due to the API move. ok mpi@
* Use a smaller buffer size too peek the receive data. The contentbluhm2017-10-241-5/+4
| | | | | | is discarded anyway, the plen variable is a leftover from the -j jumbo option. reported by Nan Xiao; OK deraadt@
* Restore a return that was inadvertently removed from freezero() in r1.234,jsing2017-10-191-1/+2
| | | | | | | which results in an internal double free when internal functions are not in use. ok otto@
* add missing HISTORY; based on CVS logs and release announcementsschwarze2017-10-171-2/+7
|
* Add a regression test for ldexp(3).visa2017-10-153-2/+82
|
* Rename ssl3_client_hello() to ssl3_send_client_hello() for consistency.jsing2017-10-122-5/+5
|
* Fold dtls1_accept() into ssl_accept(), removing a lot of duplicated code.jsing2017-10-124-556/+143
| | | | With review/feedback from inoguchi@
* Drop prototypes for ssl23_*() functions, which no longer exist.jsing2017-10-121-11/+1
|
* Add STANDARDS: denis@ spotted that it was missing.schwarze2017-10-121-2/+19
| | | | OK deraadt@ jca@ jmc@
* Update regress now that ssl_cipher_list_to_bytes() takes a CBB.jsing2017-10-111-3/+9
| | | | Based on a diff from doug@
* Convert ssl3_client_hello() to CBB.jsing2017-10-114-93/+64
| | | | | | | As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument, rather than a pointer/length. Some additional clean up/renames while here. Based on a diff from doug@
* Fully convert ssl3_send_server_hello() to CBB.jsing2017-10-113-53/+19
| | | | Based on a diff from doug@
* Revise regress now that ssl_bytes_to_cipher_list() takes a CBS.jsing2017-10-101-20/+10
|
* Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer andjsing2017-10-103-29/+19
| | | | | length, since the caller has already been converted to CBS. A small amount of additional clean up whilst here.
* ((remove) (some) (unnecessary) (parentheses))jsing2017-10-101-4/+4
| | | | Part of a diff from doug@
* Merge dtls1_connect() into ssl3_connect(), removing a large amount ofjsing2017-10-104-459/+117
| | | | | | | | duplicated code. For now this is essentially adds a diff of the two functions with 'if (SSL_IS_DTLS(s))' - further clean up and improvement will follow. ok inoguchi@
* Reduce non-functional differences between dtls1_accept() andjsing2017-10-081-34/+42
| | | | ssl3_accept() - synchronise comments, whitespace, line wrapping, etc.
* Reduce non-functional differences between dtls1_connect() andjsing2017-10-081-32/+38
| | | | ssl3_connect() - synchronise comments, whitespace, line wrapping, etc.
* Fix some style/whitespace/indentation issues in ssl3_accept().jsing2017-10-081-25/+14
|
* Fix some style/whitespace/indentation issues in ssl3_connect().jsing2017-10-081-10/+9
|
* Convert ssl3_send_change_cipher_spec() to use CBB and make it handle DTLS,jsing2017-10-086-57/+52
| | | | | | which allows us to drop dtls1_send_change_cipher_spec() entirely. ok inoguchi@
* hyphenate DER/PEM-encoded, for consistency;jmc2017-10-082-9/+9
|
* Document tls_peer_cert_chain_pem().jsing2017-10-071-2/+13
| | | | ok beck@
* Fix cast-pasto's in commentsguenther2017-10-071-3/+3
|
* do not return f() where f is a void function; loop var type fixotto2017-10-051-4/+5
|
* Use dprintf instead of snprintf/writeotto2017-10-051-82/+36
|
* bump version in advance of final releasebcook2017-09-261-3/+3
|
* bump wo 2.6.2libressl-v2.6.2bcook2017-09-261-3/+3
|
* If tls_config_parse_protocols() is called with a NULL pointer, return thejsing2017-09-251-1/+4
| | | | | default protocols instead of crashing - this makes the behaviour more useful and mirrors what we already do in tls_config_set_ciphers() et al.
* Annotate some API-side memory leaks for future resolution.jsing2017-09-251-1/+3
|
* Fix various issues in the OCSP extension parsing code:jsing2017-09-251-20/+14
| | | | | | | | | | | | | | | | | | - When parsing the OCSP extension we can have multiple responder IDs - pull these out correctly. - Stop using CBS_stow() - it's unnecessary since we just need access to the data and length (which we can get via CBS_data() and CBS_len()). - Use a temporary pointer when calling d2i_*() functions, since it will increment the pointer by the number of bytes it consumed when decoding. The original code incorrectly passes the pointer allocated via CBS_stow() (using malloc()) to a d2i_*() function and then calls free() on the now incremented pointer, most likely resulting in a crash. This issue was reported by Robert Swiecki who found the issue using honggfuzz. ok beck@
* When building the OCSP extension, only add the length prefixed extensionsjsing2017-09-251-6/+6
| | | | | | | after we finish building the responder ID list. Otherwise adding to the responder ID list fails. ok beck@
* Make delayed free non-optional and make F do an extensive double free check.otto2017-09-231-21/+26
| | | | ok tb@ tedu@
* Keep track of which keypair is in use by a TLS context.jsing2017-09-204-14/+25
| | | | | | | | | | This fixes a bug where by a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI. Issue reported by William Graeber and confirmed by Andreas Bartelt. Fix tested by William Graeber and Andreas Bartelt - thanks!
* Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code.jsing2017-09-201-6/+7
|
* Provide a useful error if there are no OCSP URLs in the peer certificate.jsing2017-09-201-1/+4
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-31 05:47:28 +0000